A container is the rare workload with a knowable normal. Unlike a general-purpose server, a container image is built to run one application, so the set of processes it should ever spawn is small and predictable. That predictability is a security gift: anything outside the expected set is suspicious by definition.
Twistlock, Ltd's US10943014B2, “Profiling of spawned processes in container images and enforcing security policies respective thereof” (issued March 9, 2021; CPC G06F 21/53 — execution in a protected environment, and G06F 21/577 — assessing vulnerabilities), describes building a profile of the processes a container image spawns and enforcing policy against it. Read it at US10943014B2.
Mechanically, the system observes a container image to learn its legitimate process behavior, then enforces that learned profile at runtime — if a web server container suddenly spawns a shell or a crypto-miner, that deviation violates the profile and the policy engine acts. This is allow-listing reborn for the container era, made practical because the workload's scope is narrow.
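The learn-then-enforce cycle described above, reduced to working code. This is an added illustration, not code from the patent or from Twistlock or Prisma Cloud; the event shape (image, parent process, child process) and the sample exec events are constructed assumptions, since the page does not give the product's actual event schema.

```python
from collections import defaultdict

# Constructed sample exec events shaped as (image, parent_process, child_process).
# The field layout is an assumption for this example; the page does not give the
# real sensor's event schema.
LEARNING_EVENTS = [
    ("web:1.0", "entrypoint.sh", "nginx"),
    ("web:1.0", "nginx", "nginx"),                  # master forks its workers
    ("web:1.0", "nginx", "nginx"),
]
RUNTIME_EVENTS = [
    ("web:1.0", "nginx", "nginx"),                  # normal worker spawn
    ("web:1.0", "nginx", "sh"),                     # web server spawning a shell
    ("web:1.0", "sh", "xmrig"),                     # shell spawning a miner
    ("cache:2.1", "redis-server", "redis-server"),  # image that was never profiled
]

def learn_profiles(events):
    """Learning phase: record, per image, every parent->child spawn edge seen.
    Keying on the edge rather than the bare process name means 'sh' is only
    legitimate where the profile saw it spawned from that parent."""
    profiles = defaultdict(set)
    for image, parent, child in events:
        profiles[image].add((parent, child))
    return dict(profiles)

def enforce(profiles, events, unprofiled_action="alert"):
    """Enforcement phase: allow spawn edges in the image's profile, block the rest.
    An image with no learned profile has no knowable normal yet, so it gets the
    configurable unprofiled_action (alert by default) instead of a hard block."""
    decisions = []
    for image, parent, child in events:
        profile = profiles.get(image)
        if profile is None:
            decisions.append((image, child, unprofiled_action, "no profile for image"))
        elif (parent, child) in profile:
            decisions.append((image, child, "allow", "spawn edge in profile"))
        else:
            decisions.append((image, child, "block", f"{parent} -> {child} not in profile"))
    return decisions

if __name__ == "__main__":
    learned = learn_profiles(LEARNING_EVENTS)
    for decision in enforce(learned, RUNTIME_EVENTS):
        print(decision)
```

A production engine would key the profile on the executable's full path or content hash rather than its basename, since a basename is trivial to rename, and would treat the learning window itself as trusted input only when the image ran in a controlled environment.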
Why this is a business story: Twistlock was acquired by Palo Alto Networks in 2019 for roughly $410 million and became the core of Prisma Cloud, the cloud-workload-protection platform that anchors Palo Alto's cloud-security revenue line. This process-profiling IP is part of what that acquisition bought — the runtime-enforcement engine that differentiates a real cloud-workload-protection product from a vulnerability scanner.
The grounded read: container process profiling exploits the fact that containers have a knowable normal, then enforces it. Twistlock's 2021 grant names that learn-the-profile, block-the-deviation mechanism that became central to Palo Alto's Prisma Cloud.